mirror of
https://github.com/shazow/ssh-chat.git
synced 2025-04-04 19:30:07 +03:00
621ae1b0d3
* move loading whitelist+ops from file to auth and save the loaded files fro reloading * add /whitelist command with lots of open questions * add test for /whitelist * gofmt * use the same auth (the tests don't seem to care, but htis is more right) * mutex whitelistMode and remove some deferred TODOs * s/whitelist/allowlist/ (user-facing); move helper functions outside the handler function * check for ops in Auth.CheckPublicKey and move /allowlist handling to helper functions * possibly fix the test timeout in HostNameCollision * Revert "possibly fix the test timeout in HostNameCollision" (didn't work) This reverts commit 664dbb0976f8f10ea7a673950a879591c2e7c320. * managed to reproduce the timeout after updating, hopefully it's the same one * remove some unimportant TODOs; add a message when reverify kicks people; add a reverify test * add client connection with key; add test for /allowlist import AGE * hopefully make test less racy * s/whitelist/allowlist/ * fix crash on specifying exactly one more -v flag than the max level * use a key loader function to move file reading out of auth * add loader to allowlist test * minor message changes * add --whitelist with a warning; update tests for messages * apparently, we have another prefix * check names directly on the User objects in TestHostNameCollision * not allowlisted -> not allowed * small message change * update test
97 lines
1.8 KiB
Go
97 lines
1.8 KiB
Go
package sshchat
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"testing"
|
|
|
|
"golang.org/x/crypto/ssh"
|
|
)
|
|
|
|
func NewRandomPublicKey(bits int) (ssh.PublicKey, error) {
|
|
key, err := rsa.GenerateKey(rand.Reader, bits)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return ssh.NewPublicKey(key.Public())
|
|
}
|
|
|
|
func ClonePublicKey(key ssh.PublicKey) (ssh.PublicKey, error) {
|
|
return ssh.ParsePublicKey(key.Marshal())
|
|
}
|
|
|
|
func TestAuthAllowlist(t *testing.T) {
|
|
key, err := NewRandomPublicKey(512)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
auth := NewAuth()
|
|
err = auth.CheckPublicKey(key)
|
|
if err != nil {
|
|
t.Error("Failed to permit in default state:", err)
|
|
}
|
|
|
|
auth.Allowlist(key, 0)
|
|
auth.SetAllowlistMode(true)
|
|
|
|
keyClone, err := ClonePublicKey(key)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if string(keyClone.Marshal()) != string(key.Marshal()) {
|
|
t.Error("Clone key does not match.")
|
|
}
|
|
|
|
err = auth.CheckPublicKey(keyClone)
|
|
if err != nil {
|
|
t.Error("Failed to permit allowlisted:", err)
|
|
}
|
|
|
|
key2, err := NewRandomPublicKey(512)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
err = auth.CheckPublicKey(key2)
|
|
if err == nil {
|
|
t.Error("Failed to restrict not allowlisted:", err)
|
|
}
|
|
}
|
|
|
|
func TestAuthPassphrases(t *testing.T) {
|
|
auth := NewAuth()
|
|
|
|
if auth.AcceptPassphrase() {
|
|
t.Error("Doesn't known it won't accept passphrases.")
|
|
}
|
|
auth.SetPassphrase("")
|
|
if auth.AcceptPassphrase() {
|
|
t.Error("Doesn't known it won't accept passphrases.")
|
|
}
|
|
|
|
err := auth.CheckPassphrase("Pa$$w0rd")
|
|
if err == nil {
|
|
t.Error("Failed to deny without passphrase:", err)
|
|
}
|
|
|
|
auth.SetPassphrase("Pa$$w0rd")
|
|
|
|
err = auth.CheckPassphrase("Pa$$w0rd")
|
|
if err != nil {
|
|
t.Error("Failed to allow vaild passphrase:", err)
|
|
}
|
|
|
|
err = auth.CheckPassphrase("something else")
|
|
if err == nil {
|
|
t.Error("Failed to restrict wrong passphrase:", err)
|
|
}
|
|
|
|
auth.SetPassphrase("")
|
|
if auth.AcceptPassphrase() {
|
|
t.Error("Didn't clear passphrase.")
|
|
}
|
|
}
|